Federal and state government agencies handle massive amounts of email daily; thus, they use email archive solutions to store old messages. This is not just an operational requirement but also a regulatory and legal matter. Two sets of regulations govern the use of electronic media for sending and storing messages: the Federal Records Act (FRA) and the Freedom of Information Act (FOIA).
The FRA states that government employees must use work email accounts for official business and prohibits the use of personal email accounts for work-related purposes. The Freedom of Information Act, on the other hand, requires all records to be made available to the public.
What exactly constitutes a record? The term encompasses all documents and messages created and/or circulated that are related to official business, including both paper and electronic media such as email, instant messages, websites, and text messages. As such, all government agencies and individuals working in them, including elected officials, are expected to comply with both the FRA and the FOIA.
However, there are concerns about the FOIA’s effect on national security. Recently, a contractor with high security clearance managed to print out classified information and leak it to media via email. The said information consisted of a memo with details of a foreign cyber attack on a voting software publisher, which could be contentious given the foreign entity’s suspected interference with the previous elections.
How could these leaks be prevented? While the suspected agent of the leak was a contractor, there were loopholes that allowed access to classified information to individuals who were not in any position to view and disseminate it. The retention, printing, and encryption of the memo in question could have been compromised. The FOIA is very strict about the requirements for retention periods, storage media, encryption levels, and access to documents, and these requirements extend to email archive solutions as well.
The need for more secure email archive solutions is more pronounced given the precarious situation in many areas around the world where the U.S. has citizens and government employees. Despite the high public interest in leaked documents, the intelligence, foreign relations, and defense communities are adamant about protecting classified information that would give them a leg up on parties, foreign or domestic, that would stand to benefit from breaches in national security.
To protect classified information, including archived email messages, government agencies use several standard cipher suites, such as the Advanced Encryption Standard (AES), Digital Signature Standard (DSS), and the Triple Data Encryption Standard (3DES). PGP encryption is also widely used to protect both user accounts and individual messages.
Government agencies also study the threat level faced by their email archive solutions and plan accordingly. Some best practices observed by government entities include storing email archives in at least two geographically remote locations, employing write-once, read-many storage media, indexing data to accommodate for FOIA requests, and verifying if messages are indeed being backed up correctly and according to schedule. These measures are intended to safeguard the security of classified information and the people working on and with it.